
Allow only certain users to log in via ssh UNIX
Interested in only allowing certain users to log in via ssh? The solution I used is as follows:
  1. Open the file /etc/sshd_config in your favorite Terminal text editor (you can edit it with TextEdit as well, but you'll have to modify its permissions in order to save your changes -- so it's easier to just run sudo vi /etc/sshd_config instead).

  2. Add the following line to the end of this file:
    AllowUsers username1 username2
    Replace username1 and username2 with the short usernames of the users who should be able to log in via ssh. You can list as many as you want, separated by spaces.

  3. Restart the ssh daemon (or, as I did, the computer).
Voila! If anyone attempts to log in via ssh with a username that is not in the list after AllowUsers, the attempt is refused just as if the account did not exist.

Allow only certain users to log in via ssh
Authored by: david-bo on Oct 09, '03 12:01:04PM

Is it possible to allow a user to only open a tunnel, i.e., I want the user to not be able to use the shell?

Allow only certain users to log in via ssh
Authored by: pjw on Oct 09, '03 01:43:10PM

To prevent a user from having shell access, you need to set their login shell to something like /bin/nologin. Open up NetInfo.app and go to the user you want. Change their shell setting from /bin/bash or /bin/tcsh or whatever to /bin/nologin. You can probably also use the chsh command line utility like this:

chsh -s /bin/nologin username

Note: I haven't tested this under OS X and I don't know if it has any adverse effects when the user tries to log in locally. They may not be able to use Terminal.app. Give it a try and post here letting us know if it works for you.



Allow only certain users to log in via ssh
Authored by: nmthor1 on Oct 09, '03 07:32:45PM
It seems that users can log on locally, and in fact use the Terminal! The shell defaults to bash.
However, users cannot log on interactively via the console (i.e. using >console at the logon screen) nor via ssh.
-n

Allow certain users only to tunnel
Authored by: datasmid on Oct 27, '04 05:11:43PM

Add something like this before their key in ~/.ssh/authorized_keys2 to allow them a tunnel to this webserver. Beware that there are no spaces.

command="while true; do sleep 1000; done",no-pty,permitopen="web.example.intra:80"



AllowGroups
Authored by: extra88 on Oct 09, '03 01:29:04PM
There's also an AllowGroups option. If you add
AllowGroups admin
and restart sshd then only users who are admins can log in through ssh.

I believe /etc/group is not used so if you wanted to create your own group in which authorized users would be listed, it would have to be in NetInfo. That would probably be preferable because once you have the AllowGroups line in sshd_config, it doesn't require restarting any process to add or remove access for a user.

The sshd_config man page is a useful read. Note that this link is for whatever the current version of OpenSSH is and may not exactly match the capabilities found in OS X.



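As an added example, not posted by the hint author or any commenter, the following Python checker implements the evaluation order documented in sshd_config(5) for AllowUsers (from the hint) and AllowGroups (this comment), together with the matching DenyUsers and DenyGroups directives, so you can predict who a given configuration admits before restarting sshd. The user names, group and host values in the sample config are constructed.

```python
import fnmatch

# Directives sshd_config(5) evaluates, in this order. Patterns use * and ?;
# AllowUsers/DenyUsers entries may be USER@HOST, which also requires the client host to match.
ORDERED_DIRECTIVES = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse_sshd_config(text):
    """Return {directive: [pattern, ...]} for the four Allow/Deny directives.
    Keywords are case-insensitive; '#' starts a comment; values are space-separated."""
    rules = {d: [] for d in ORDERED_DIRECTIVES}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key in rules:
            rules[key].extend(parts[1:])
    return rules

def _user_match(pattern, user, host):
    # USER@HOST form: both halves must match; otherwise only the user name is tested.
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, user_pat) and fnmatch.fnmatchcase(host, host_pat)
    return fnmatch.fnmatchcase(user, pattern)

def user_allowed(rules, user, groups, host=""):
    """Decide whether sshd would admit `user` (a member of `groups`, connecting from `host`).
    A list is only consulted when it is non-empty, in the documented order: a hit on a
    Deny list or a miss on an Allow list ends the evaluation with a refusal."""
    deny_u, allow_u = rules["denyusers"], rules["allowusers"]
    deny_g, allow_g = rules["denygroups"], rules["allowgroups"]
    if deny_u and any(_user_match(p, user, host) for p in deny_u):
        return False
    if allow_u and not any(_user_match(p, user, host) for p in allow_u):
        return False
    if deny_g and any(fnmatch.fnmatchcase(g, p) for g in groups for p in deny_g):
        return False
    if allow_g and not any(fnmatch.fnmatchcase(g, p) for g in groups for p in allow_g):
        return False
    return True

# Constructed sshd_config fragment: the hint's AllowUsers line plus an AllowGroups line.
SAMPLE_CONFIG = """\
PermitRootLogin no
AllowUsers alice bob@192.168.1.*   # bob only from the LAN
AllowGroups admin
"""
```

Because AllowUsers and AllowGroups are both present in the sample, a user must pass both: being listed in AllowUsers is not enough without membership in an allowed group.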
Allow only certain users to log in via ssh
Authored by: osxpounder on Oct 09, '03 04:42:10PM

THANKS very much for this; I implemented this hint and tested it right away. This is great; I am now the only user allowed to SSH in to my OSX box.

--
osxpounder



Allow only certain users to log in via ssh
Authored by: dlong on Sep 01, '05 01:57:14PM
On a 10.3 box, this configuration has an unintended consequence. (The rsync is version 2.6.2 protocol version 28.) I have a crontab that uses /usr/bin/rsync to copy some files from one machine to another each night, as a backup measure. After adding the "AllowUsers" line to my /etc/sshd.conf file, this rsync can no longer run. The output says simply:

rsync error: error in rsync protocol data stream (code 12) at /SourceCache/rsync/rsync-14/rsync/io.c(342)
Thu Sep  1 02:00:00 PDT 2005
/etc/ssh_config: line 38: Bad configuration option: AllowUsers
/etc/ssh_config: terminating, 1 bad configuration options
rsync: connection unexpectedly closed (0 bytes read so far)
I'd love to use AllowUsers, but not at the expense of breaking rsync! Anyone else experience this, or know of a workaround?
